The Law School Magazine ·
Winter 2013 : Features

For the average American, the morning may begin with checking email and scrolling through one’s Facebook feed before even getting out of bed. During the morning commute, a GPS satellite interfaces with the car’s computer, giving directions to the first appointment of the day. But first comes a stop at the local coffee shop, where the coffee club card is swiped and a few text messages are swapped. At the office, online search engines are used to find everything from answers to work-related questions to the funny YouTube video everyone is buzzing about.

While technological advances and tools developed in the last 20 years have afforded the average person convenience and entertainment, they have afforded private industry and government agencies the ability to track and monitor our movements, interests, and personal information – often without our knowledge.

“One of the current challenges is how to respond to the fact that we carry tracking devices for the first time in human history,” said Peter P. Swire, the C. William O’Neill Professor in Law and Judicial Administration at The Ohio State University Moritz College of Law. “Cell phones are tracking devices, and most of us didn’t have a GPS locator on our life until the last few years. That’s a huge change.”

Consumers may appreciate the cookies that enable a clothing retailer to deliver only the advertisements that are relevant to them, but those same private citizens recoil at the thought of searches of a more personal matter being followed as well. If Target can develop a sophisticated algorithm and data-mine its way to figuring out that a teenage girl was pregnant before her own father was made aware, is it much of a stretch to imagine other entities could be gleaning our own personal, sensitive health information?

Debates about Do Not Track registries are under way, and regulatory frameworks across the globe are experiencing updates that would affect policing agencies and private industry. Accordingly, a new era is beginning in the privacy field, which has erupted over the last 20 years and is likely to only grow further, according to experts and those presenting at November’s Ohio State Law Journal symposium “The Second Wave of Global Privacy Protection.”

Kirk Herath, vice president and privacy officer for Nationwide Insurance Companies, cited his own career history at Nationwide as an example of how quickly the industry has expanded. In the late-1990s, he was an “army of one” at the company, charged with discerning what privacy issues surrounded the information they had on file about customers. Today, he works in a department with 16 other people who ensure Nationwide and its vendors meet privacy protection compliance standards across all 50 states.

As technology continues to develop at breakneck speed, it’s likely the privacy profession will continue to swell in numbers. The International Association of Privacy Professionals, founded in 2000, estimates there could be as many as 200,000 privacy professionals working in the U.S. in the next decade.

Swire jokes that it is an area of specialization that has kept him in a job for the last 20 years. In his office on the second floor of Drinko Hall hangs a framed USA Today article from June 7, 2000. The piece focuses on contributions Swire, the nation’s first Chief Counselor for Privacy, had made with privacy rights legislation in the medical field as well as banking industry. Fast-forward to November 2012, and Swire is the subject of more national coverage in The New York Times, as he accepted the challenge of co-chairing a World Wide Web Consortium working group developing Do Not Track standards, which would give Internet users greater control over what is gathered about them.

“Industry wants to send cat food ads to cat owners and not to dog owners. Industry will say that’s a benefit to the consumer because they have a more interesting and relevant Internet,” said Swire, who is now thrust into a mediation role as the debate rages on. “From the privacy side, these advertising activities create databases that consumers have little knowledge about and little control over, and the data’s held by companies consumers have rarely heard about.”

A lot is gathered, shared

In the early days of the Internet, first-party collection of data was the norm. A consumer would go to Amazon.com to buy a book, and Amazon received all of the data. Today, however, dozens and maybe even hundreds of cookies can be placed on one’s computer after visiting just a single site, Swire explained. Information on what is clicked on many pages later is then sent to numerous third-party companies.

“Some of those cookies are there to measure what advertisements you’ve seen to make sure the right people get paid for the ads. Those are sort of boring, accounting-type of things,” Swire said, “but it also creates databases that privacy advocates are concerned about.”

It’s not just privacy advocates who are concerned. Consumers in general have become increasingly aware of how closely their footsteps online are followed when information about something they were just discussing in a private email is used to generate an advertisement three or four page clicks later.

Inside the Washington, D.C. beltway, it’s referred to as the “creepy factor,” according to Commissioner Julie Brill of the Federal Trade Commission. “I think it’s important to give consumers notice and choice about this practice,” Brill said during the law journal symposium in November.

The FTC enforces limited Internet privacy laws and hunts data brokers violating laws in the fair credit reporting space. Brill said the commission has gone after companies that have taken more rigorous action, including a rent-to-own business that activated cameras on computers inside the homes of customers who were delinquent in payment.

The FTC also is responsible for overseeing the companies that have volunteered to act on Do Not Track technology – a group that includes Google, Yahoo!, and Microsoft. “The ad industry did step up in that issue,” Brill said, “but we really have to get this message out about what you can and cannot do with consumers’ information.”

In addition to data being collected about consumers in the background, Internet users are sharing personal information with a broader audience at a “staggering” rate, commented Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University. “Social media is a threat to its users’ privacy and, in many cases, people who don’t use it.”

Social media users know they pose a threat to themselves in many ways. A Carnegie Mellon study found that most people have regretted something they posted, often within a day of doing so. Participants also reported that they tended not to change default settings, resulting in a wider dissemination of information than they realized. As a result, researchers are examining the effect of privacy “nudges” designed to help a person stop and think before posting: Participants said they valued a countdown clock that appeared for a few seconds prior to the post going live and a tool that quickly displayed the profile pictures of people who could read the participant’s post. Both prompted greater reflection of what they were sharing.

While such nudges could save users some embarrassment, experts suspect such tools are unlikely to be embraced by social media companies. People might refrain from posting information that is valuable to advertisers.

It’s precisely why Hartzog advocates that modern revisions to privacy protection regulation extend coverage to social media sites. Provisions should regulate: respecting an individual’s expressed boundaries, so their personal information can only be accessed for specific purposes; establishing identity integrity, so people have a right to establish and maintain their own identity without fear of imposters posing as them online; and maintaining network integrity, so people do not feel forced to “friend” others, including the boss.

Legislation, judicial consideration, and even the White House’s proposed “Privacy Bill of Rights” all focus on the backstage data. Hartzog said, “Protections must be broader in scope if they’re to be meaningful at all.”

Government biggest consumer of data

While many look to policymakers to draft the next round of privacy regulation, other parts of the government are consuming large quantities of data as part of surveillance and investigation.

Facebook and other social media sites, cell phone records maintained by third-party entities, and a smartphone’s subscriber identity module, or SIM card, are just a few of the places police agencies look when building their body of evidence in criminal investigations, but court opinions have not answered what implications there may be under the Fourth Amendment, explained Professor Ric Simmons.

“The good news for police is that today, when most people communicate, they’re keeping a semi-permanent record of what they’re saying to each other. That makes for great evidence,” he said, “but they’ll almost always need a warrant to go after the computers and smartphones.”

However, only a subpoena is needed for most requests made of third parties that maintain information on customers, including private companies that have tracking tools on customers’ phones and cars, said Simmons, who taught a seminar on computer crime and surveillance this fall. Paraphrasing another expert in the field, Simmons explained that an FBI agent may not even need to enter the field for surveillance in another decade. Rather, investigators could simply request emails from Google, download a person’s Foursquare check-ins, and ask major retailers for the detailed purchasing records they keep to build the case for an arrest warrant.

“We give so much information to private companies that we aren’t necessarily aware of – everything from our online shopping habits to GPS tracking of our location,” Simmons said. “Any information you give to a third party is not protected under the Fourth Amendment. If you share it with another person, you share it with the world, including the government.”

The U.S. leads the world in the number of requests countries make for Google users’ data, according to a report the company released in November. In the first six months of 2012, nearly 8,000 requests were made for information on more than 16,000 accounts. Government entities wanted to review various Google products, including Gmail, Google Docs, and search queries. It was a 26 percent increase in requests from the six months prior. Other companies, including Twitter, Dropbox, and LinkedIn, have started reporting out the government requests for data they receive as well.

Meanwhile, consumers share information about their location to cell phone service providers each time they check email, send a text, or make a call. The information does not require voluntary disclosure from the customer; it’s generated automatically. Cell phone companies keep months of data on file, and they do not have to disclose to their customers when such records are passed on to law enforcement. Circuit court rulings have contradicted one another on the issue.

“Courts are by definition reactive, so decisions don’t come down until years and years after the technology comes out. Legislatures at least can be proactive, but they are still kind of slow,” Simmons said. “The final possibility is to have administrative rules set up by bodies that oversee policing agencies. The problem there is that all those different administrative bodies have different agendas.”

The terrorist attacks of Sept. 11, 2001, greatly altered the way privacy and security concerns are weighed, Swire explained. He chaired a White House working group in 2000 that proposed a legislative update for wiretap laws in the Internet age. Many of those topics were included in the USA PATRIOT Act of 2001, but gone was the update Swire helped create to help both privacy and government access. In its place were policies that gave the government greater access with fewer safeguards for citizens’ privacy.

“After 9/11, the concern was about sleeper cells and other civilians hiding in a sea of civilians, and so there was huge pressure to increase surveillance,” he said. “The policy battles today are about third parties, all the other entities that may be holding relevant data.”

Regulatory frameworks under review

The European Union led the way in the 1990s in creating a regulatory framework for privacy protection, and the body is likely to do it again today, experts believe.

The common market required the EU to develop ways for data to move freely through member states’ borders in the 1990s, just as they had made it easier for goods and people to move. The EU’s 1995 Data Protection Directive had two goals: to create one general set of laws for data transferring and to protect people’s privacy in the process. Privacy, the EU stated, was to be considered a human rights issue.

“Europe was being so careful about privacy they didn’t want to ship off (data) to some unsafe place where people’s rights were being violated,” Swire said. “The major unsafe place where people’s rights were being violated was called the United States of America – at least that was the worry of Europe.”

In 2000, the Safe Harbor Principles were negotiated between the U.S. and EU. Among other actions, companies that voluntarily follow the principles vow to:

give notice to individuals about what data is being collected and how it will be used;

offer consumers the choice to opt out of having collection forwarded to a third party;

forward information only to third parties that also follow Safe Harbor Principles;

make reasonable efforts to prevent loss of information; and

allow individuals to access the information held about them and correct or delete inaccuracies.

Proposed updates to Safe Harbor Principles and the EU directive would affect consumers and companies alike, Swire explained. U.S. companies would have one leading government agency to deal with instead of 25 or more national regulators, but the penalty for breaking the guidelines would be much steeper – 2 percent of global revenues. “For a billion-dollar company, that gets up into the tens of millions of dollars,” Swire said.

European policymakers also have suggested creating a “right to be forgotten” provision that would enable individuals to delete a wide range of accurate information from database searches, including newspaper articles about crimes committed in one’s past. That alone runs afoul of the U.S. approach to free speech protection under the First Amendment.

While there are nearly 100 countries around the world with private sector data privacy laws, the U.S. does not have a comprehensive set. Instead, privacy policy in the 1990s developed on an ad hoc basis, around health care or minors, for example. In what he has dubbed the “second wave” of privacy protection, Swire said, “We may see specialized bills about location tracking or in other sectors. But it’s hard to pass anything in Congress these days, and privacy’s complicated. To pass a big privacy bill would be difficult, and so that puts pressure on everyone else to figure out how to structure this stuff.”

Industry self-regulation has not always served the public interest well. A Government Accountability Office study released in October concluded that wireless companies, for example, are not adequately explaining to customers how location information is used. Many disclosure policies did not meet an “informed consent” threshold, and the report recommended action from the National Telecommunications and Information Administration and the Federal Trade Commission.

The White House unveiled a “Consumer Privacy Bill of Rights” in February, designed to guide development of enforceable privacy policies that would give Internet users more control over how their information is used.

“When you’re in the middle of the wave, you don’t know how the surfing’s going to turn out – whether you’re going to crash or get on shore safely. If you’re surfing this way, it’s hard to tell quite where you’ll end up,” Swire said. “We’re in a period where there are new major things – location tracking, social networks, and this third-party ecosystem for advertising. The public policy world is going to shape how those operate.”